[00:02.260 --> 00:10.040]  All right, we are now live. Chris, thank you very much for keynoting the first virtual SafeMode
[00:10.040 --> 00:17.240]  DEF CON ICS Village. It has been a lot of work. I think it was really great how you set out both...
[00:19.200 --> 00:21.240]  I'm sorry, I'm getting some feedback.
[00:22.460 --> 00:30.240]  There we go, sorry. How you set out both the way that the strategy has changed,
[00:30.240 --> 00:33.620]  acknowledging how government has to be different, and then extending the hand
[00:33.620 --> 00:39.180]  to the community. And so the first question is, why now? What's changed?
[00:40.760 --> 00:46.700]  Hey, thanks. So first off, let me... First, thanks to you. Thanks to the ICS Village for having me
[00:46.700 --> 01:00.220]  on. I got to admit, it is painful watching recordings of your own remarks in what's,
[01:00.220 --> 01:06.740]  I looked like a hostage in that feed. This is more of a natural setup. You, on the other hand,
[01:06.740 --> 01:13.300]  Bryson, we could spruce up, I think, your setup there a little bit. So I'll help you on that
[01:13.300 --> 01:20.680]  front. I've got the important things. I know, I'm jealous. I got it. Hey, I got my aerospace badge
[01:20.680 --> 01:27.700]  the other night, so I'm excited about that. So what changed? I think it's... I don't think anything
[01:27.700 --> 01:33.660]  necessarily changed overnight. I think it was more of an agency coming into its own and trying
[01:33.660 --> 01:39.660]  to figure out, you know, A, what Congress asks us to do, and B, the, you know, the special authorities
[01:39.660 --> 01:47.260]  and relationships that we've had. We've been in the ICS space for years. And if, you know,
[01:47.260 --> 01:53.840]  in fact, we had an announcement earlier today, I mentioned the Control Systems Interagency Working
[01:53.840 --> 01:58.460]  Group, the private sector co-chair, we announced that just simultaneously. And that's Marty Edwards
[01:58.960 --> 02:02.380]  from Tenable. Marty Edwards has obviously been around for quite a long time. In fact,
[02:02.380 --> 02:08.580]  he was an employee of a predecessor organization to CISA running our ICS CERT capability.
[02:08.640 --> 02:13.740]  So we've been here, but again, I think what it was more about is a philosophy change here at the
[02:13.740 --> 02:21.380]  agency about being bridge builders, about connecting the dots. And that's in part, I think, just kind
[02:21.380 --> 02:28.960]  of my style, my, you know, the way I always operate. I'm a middle child, always seeking to build people,
[02:28.960 --> 02:34.920]  you know, bridges, relationships, compromises, and not being adversarial. And I think this is a
[02:35.820 --> 02:39.940]  community that kind of, I think, shares that mentality and approach is just looking for
[02:39.940 --> 02:45.420]  that hand for the pull-up. So again, I think we've got a number of different things
[02:45.420 --> 02:50.760]  that we're trying to do here. And one of the big takeaways that I had from the speech is
[02:51.920 --> 02:56.500]  democratizing security in the control system space, that the gap between the haves and the
[02:56.500 --> 03:02.240]  have-nots is pretty remarkable. So what I'm looking to do is not just make sure that the bigs
[03:02.240 --> 03:08.660]  are in into the party, but the fact that we can roll out into rural communities in water sector,
[03:08.660 --> 03:12.800]  water facilities, the 30,000 plus water treatment facilities across the country,
[03:12.800 --> 03:17.260]  and make sure that they have access to training, resources, and capabilities. Not trying to take
[03:17.260 --> 03:20.980]  anything over here. They're still going to be responsible for their security, whatever we can
[03:20.980 --> 03:26.920]  do. So we've got a couple concepts between the control environment lab, resource to seller
[03:27.740 --> 03:32.800]  capability, but also looking to put some people on wheels moving around the country and, you know,
[03:32.800 --> 03:40.440]  again, bringing that last mile delivery on ICS training. Yeah, so I appreciate the kudos
[03:40.920 --> 03:46.760]  to Timmy and to several others, certainly with the village. It's a team sport. I couldn't do
[03:46.760 --> 03:52.520]  it without Tom Van Norman, who has done the lion's share of the CTF work, including
[03:52.520 --> 03:57.900]  integrating CISA into that, along with all the volunteers we have and all of the legends that
[03:57.900 --> 04:04.540]  we follow on from before. And so with that, opening the aperture for team and democracy,
[04:04.540 --> 04:08.660]  how can small and mid-sized businesses get more involved with these efforts?
[04:08.660 --> 04:13.080]  The CISA calls during COVID have been a fantastic resource for situational awareness.
[04:13.080 --> 04:16.560]  How can people get more involved in the R&D to bridge the gaps?
[04:17.320 --> 04:24.840]  Yeah, so a few things here. First is, first, I like hearing that the calls that we do during
[04:24.840 --> 04:30.300]  COVID, just so everybody's tracking Tuesday, Thursdays for the first, I don't know, 15
[04:30.300 --> 04:35.380]  months of COVID, however long it was, six or seven months, we did Tuesday, Wednesday calls,
[04:35.380 --> 04:40.120]  broad stakeholders open. We're averaging anywhere, you know, the highest number, I think we had about
[04:40.120 --> 04:45.480]  10,000 connections, and that's winnowed down over time. Now we're at every other week.
[04:45.480 --> 04:52.100]  But the idea there is to make sure that we can bring a set of resources, educational information
[04:52.100 --> 04:58.220]  sharing, technical guidance to the broader community. And that's not just us, but it's CDC,
[04:58.220 --> 05:03.360]  HHS, FEMA, anyone else. And we've done that for other events too. If you recall back at
[05:03.360 --> 05:09.000]  the beginning of the year with Iran, we did a couple calls there as well. The first evening
[05:09.000 --> 05:15.900]  call we had, you know, 6,000 plus folks on a Friday afternoon, Friday, Friday, 6pm call Eastern.
[05:16.140 --> 05:21.560]  And to me, again, it's, hey, here's what's going on in the world. Here is the background on the
[05:21.560 --> 05:26.040]  Iranian actors. Here are the things that we're worried about. And you should probably be worried
[05:26.040 --> 05:29.700]  about and covering down on over the weekend. Yeah, sorry to do this to you over the weekend. But
[05:29.700 --> 05:35.360]  that's just kind of how life is right now. So again, the idea is to be able to quickly engage.
[05:35.360 --> 05:40.200]  We've built partnership mechanisms and distribution mechanisms. Over the years,
[05:40.200 --> 05:45.300]  we've got tens of thousands of partners in these programs, but that's not nearly enough.
[05:45.300 --> 05:49.940]  We have a lot of room left to cover or ground left to cover in terms of bringing people in. So
[05:49.940 --> 05:56.120]  we'll continue doing these. We'll continue doing those calls. We're going to continue to do things
[05:56.120 --> 06:01.540]  like the ICS JWG, which is open to everybody. It's free of charge. It's virtual now. So there's
[06:01.540 --> 06:06.860]  really no barrier to entry. Since it's streaming online, if you got a connection to the internet,
[06:06.860 --> 06:10.940]  you should be able to tap in. We also have our cyber security summit, our third annual cyber
[06:10.940 --> 06:16.480]  security summit later this year, which is also going to be in safe mode, which is going to be
[06:16.480 --> 06:22.260]  about two to three hours of programming once a week on a I think it's on a Wednesday. And what's
[06:22.260 --> 06:28.300]  the first day there, September? I'll come back around on that. But it's going to be four weeks
[06:28.300 --> 06:32.580]  in a row, every Wednesday, two to three hours of programming. Again, free of charge. We're going to
[06:32.580 --> 06:39.720]  be streaming it on the CISA.gov website. And so lots of opportunity. And from there, what we've
[06:39.720 --> 06:47.100]  got to do a better job of is communicating the specific, almost the equivalent of an API on how
[06:47.100 --> 06:54.620]  you hook in. Just a week or two ago, we released the CISA service catalog, which is an interactive
[06:54.620 --> 07:00.160]  tool so that you can kind of pick and choose, sort through the things that we provide. Again,
[07:00.160 --> 07:06.520]  training, education, guidance, best practices, so that an organization of any stripe or capability
[07:07.080 --> 07:11.280]  can plug in. And that'll, you know, get you into some of the other things we can do, like
[07:14.260 --> 07:17.360]  have a protective security advisor, cyber security advisor,
[07:17.360 --> 07:19.820]  sit down with you and walk you through a good plan.
[07:21.160 --> 07:27.040]  Do you have any suggestions for how CISA can help push for critical infrastructure software updates
[07:27.040 --> 07:33.320]  where the current model of CVE vulnerability reporting and tools like OWASP scans do not show
[07:33.480 --> 07:38.820]  a problem in old, deprecated software platforms and tools? This would help open up the budget
[07:38.820 --> 07:45.920]  and get prioritization escalated. Yeah. So, I mean, this is some of the initial feedback we got
[07:45.920 --> 07:53.660]  through the cross-sector interagency working group. One issue was standards help improve
[07:54.800 --> 08:00.440]  government input and engagement on standards bodies, but that doesn't really help for stuff
[08:00.440 --> 08:05.320]  that's already deployed, the legacy systems. And in part, that's what we're trying to do
[08:05.320 --> 08:10.720]  through pillar two of our ICS strategy. Again, I made the point in my remarks of nobody wants,
[08:10.720 --> 08:14.080]  nobody's here to hear about a strategy. They want to hear about the things that we can do.
[08:14.080 --> 08:18.880]  And that's what we're trying to build towards is collaborate with the community to the extent we
[08:18.880 --> 08:25.540]  can do joint research, joint investment to get that defend today aspect of our mission space.
[08:25.880 --> 08:32.000]  So we get the tools out there, the visibility out there, transparency out there on currently
[08:32.000 --> 08:37.240]  deployed and then help to the extent possible transition over into more secure by design,
[08:37.240 --> 08:42.160]  secure by deployment technologies. But this is the real challenge because some of this stuff's
[08:42.160 --> 08:49.120]  hard to get to. You can't take the plant floor offline to do a swap out. So we've got to continue
[08:49.120 --> 08:55.760]  thinking through what some of the alternative options are. So as a two-year-old agency,
[08:55.760 --> 09:02.240]  you noted how young CISA is, how is the process of recruiting ICS talent going? And can you discuss
[09:02.240 --> 09:10.620]  what you were doing or plan to do to grow future talent? Yeah, this is tricky, right?
[09:11.180 --> 09:19.860]  ICS talent is a unicorn out there right now. Oh, wait. Oh, there it is. Yeah.
[09:20.180 --> 09:29.360]  Is that new? I haven't seen the dark unicorn version. Yeah, this is new. Okay, nice.
[09:30.840 --> 09:33.200]  Bryson, seven months into COVID.
[09:36.900 --> 09:45.700]  So it's tricky, right? We are able to attract talent right now on a onesie, twosie basis,
[09:45.700 --> 09:49.500]  but that's not going to cut it. Our requirements are pretty dramatic.
[09:49.640 --> 09:55.020]  But it's also not about getting the people in the boots on the ground here. So first off,
[09:55.020 --> 09:59.200]  I have a philosophy. I want to be able to bring in as much talent as possible,
[09:59.200 --> 10:03.440]  I'm okay if after four or five years or three years or whatever it is,
[10:03.440 --> 10:10.100]  they spin out in the private sector. For me, it does a few things. One, it allows us to have an
[10:10.100 --> 10:14.700]  alumni network of folks that know how we work, the things we do. And then once they spin out into the
[10:14.700 --> 10:18.900]  private sector into the vendor community or the deployed community, they know how to work with us
[10:18.900 --> 10:24.420]  and they have an affinity and predisposition to work with us. Second, it allows us to provide
[10:24.420 --> 10:27.880]  training. So we're providing a lot of this training anyway, but if we do it here in-house,
[10:27.880 --> 10:34.300]  then we know that there's some degree of bar met or standardization and training for ICS security.
[10:34.380 --> 10:39.540]  Now, that's all well and good. You got to identify the talent as it comes up through. So we are
[10:39.540 --> 10:47.360]  working with colleges, universities, with various veterans programs to bring folks in. And in some
[10:47.360 --> 10:53.060]  cases, we can pay for tuition, scholarship for service is one program. But again, that assumes
[10:53.060 --> 10:58.440]  that at least that part assumes that people are going into the traditional education paths.
[10:58.520 --> 11:07.560]  And we are committed to a diverse and inclusive approach to bringing folks into the government
[11:07.560 --> 11:12.200]  and particularly this agency. So we're working with Congress. They've provided us some funding
[11:12.200 --> 11:17.560]  to set up a program that'll look more like a trade school or an institute-like approach. So
[11:17.560 --> 11:22.540]  it's not necessarily a four-year college, but maybe two years. And that'll, I think, get us
[11:22.540 --> 11:29.900]  into an entirely different population of potential employees. But more importantly,
[11:29.900 --> 11:34.780]  get more capability and training out there at the edge, rather than just thinking through the
[11:34.780 --> 11:40.680]  standard, you know, four-year college and university approach. So I know our time is
[11:40.680 --> 11:48.900]  almost up. Oh, sorry. I don't think... yeah, right there. Look, we're hiring all the time. So
[11:48.900 --> 11:56.380]  for any of our ICS resources, cisa.gov/ICS. I realize the glare's probably bad. We'll fix that
[11:56.380 --> 12:03.560]  for the next one. But we are always hiring. We are a steady employment machine, not just here
[12:03.560 --> 12:10.060]  in the national capital region, but throughout this great country. So I just figured you've
[12:10.060 --> 12:15.340]  been writing your password back up there. So it'd be a typical OPSEC fun fail. One, two, three,
[12:15.340 --> 12:22.900]  four, five, six. Yeah, it's the same combination I have in my luggage. Three rapid-fire questions
[12:22.900 --> 12:29.040]  to close it out, because I know you're out of time, is you get to wave a non-internet connected
[12:29.040 --> 12:35.280]  magic wand. What is that one wish that you wish could happen? And then the final two questions is,
[12:35.280 --> 12:42.100]  next year, a non-internet connected magic wand is a crystal ball. What is one good thing and one bad
[12:42.100 --> 12:46.280]  thing that you think is going to happen in critical infrastructure in the next five years?
[12:47.100 --> 12:53.780]  Yeah, so one thing that we've heard pretty clearly from across the community is a need for some sort
[12:53.780 --> 13:03.660]  of, you know, Rosetta Stone of protocols within various ICS technology and equipment. So anything
[13:03.660 --> 13:10.360]  we can do on that front to enumerate all the protocols and have it just that much easier
[13:10.820 --> 13:17.120]  for the security and safety folks to understand what they're dealing with and be able to make
[13:17.120 --> 13:23.240]  good informed decisions. So that's on the list. What's a good thing that's coming? I think we're
[13:23.240 --> 13:28.480]  going to have a much better, in part through things like ICS for ICS and part through things
[13:28.480 --> 13:37.980]  like updating CVSS and the distilling down commonalities across vulnerabilities in various
[13:37.980 --> 13:46.560]  deployments. Again, have a more informed risk-based approach to decision making. On the
[13:46.560 --> 13:52.560]  bad side, you know, look, the more stuff that's getting plugged in, the more stuff that's getting
[13:52.560 --> 13:59.160]  remotely monitored, it is just additional attack surface. There will be bad moments. It's not
[13:59.160 --> 14:04.180]  always going to be cyber, but there very likely will be cyber because we know the adversary
[14:04.500 --> 14:12.620]  is taking a hard, hard look between China, Iran, and Russia. So we're just hoping that we can,
[14:12.620 --> 14:20.460]  you know, through whether it's layer defense or just risk management and consequence management,
[14:20.460 --> 14:26.100]  keep the boom small and keep the loss of life to zero.
[14:28.670 --> 14:34.270]  Chris, thank you for your time. Pleasure as always. We look forward to continued collaboration.
[14:35.070 --> 14:39.770]  Thanks, Bryson. Hey, stay safe, wear a mask. Thanks, folks.
